Why is the scanner not able to log into my devices?

If your device's PID (see https://www.cisco.com/c/en/us/products/unique-device-identifier-udi.html ) is not currently listed as supported by the scanner (even if the PID is just slightly different or carries additional letters at the end), you can use the Feedback > Feature Request form at the bottom of the Active Advisor portal to request our engineering team to add support for your device type. You also have the option to manually register a device via it's "show" command outputs using the IOS Config Upload tool, or register devices via by their Serial Number(s). Cisco also offers another tool that can help manage your Cisco device lifecycles at https://cway.cisco.com/mydevices

When logging into each device, scanner will try each set of username and password credentials that you supply until it finds one that works, or until all sets have been tried (up to the maximum number of retry times that you specify). If some of the devices you are scanning in a single scan use different sets of credentials, click the More button on the Scanner screen to enter multiple credential sets.

If a set of credentials does not have level 15 privileged access on a device running IOS, you will need to specify an enable password separately within the credentials window (shown below). You should leave the Username field blank, and only provide the enable password within any password field; you can specify username/password sets and enable passwords in any order.

Passwords with no accompanying username specified will be assumed to be enable passwords, and will be tried (in order) when another set of credentials gains access to a device but does not provide privileged access.

In addition, the response time varies among devices. You can try setting longer values for the timeout/retry settings:

All credentials will be tried until a working set is found. If the Connection Retry option is set higher than 0, all of the credentials will be re-tried this many times. Sometimes, authentication delays can be worked around using this method.

Please note: Devices configured for access only via SSH or the insecure Telnet protocol (no ip http server / no ip http secure-server) and having RADIUS or TACACS+ authentication configured, or that are configured with alternative username/password prompts, may not currently be supported by the scanner.

To work around these issues, you have the option of (temporarily) enabling the HTTPS server on the device (which doesn't use these prompts), or to configure your remote AAA server, or aaa authentication commands, to serve the prompts exactly as "Username:" and "Password:". When not using a remote authentication service, please see IOS Authentication Commands for details on setting "aaa authentication username-prompt" and "aaa authentication password-prompt" IOS commands to supply these prompts.

Please also refer to the IOS command "privilege level" for additional hints on configuring level 15 privileges for users under various authentication schemes (local, radius, etc). For some models of ASA security devices which are supported by Active Advisor, these devices provide different login prompts, generally "login as:" and "username@ip's password:", and do not need to be altered to work with Active Advisor.

Please note: Cisco Wireless Lan Controllers (WLCs) can take a while to respond to SSH connection attempts. Please see below for instructions on raising the initial Connection Timeout to 20 (seconds) in order to allow scanner to connect to these devices using SSH, or alternatively you can enable telnet on the device.

Access Points (APs) that are connected to WLCs will need to use the same credentials as the WLC, or have no password set, in order for the Active Advisor scanner to connect to them.

Please note: Usernames and passwords are not sent to Cisco, and stay only on the local computer, while the scanner program is running.